Cyber Resilience

CVE-2021-47901

Severity: Medium · Public PoC

Published: 27 January 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v4: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0038 (29.7th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2021-47901 is a medium-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 29.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-47901 is a CSV injection vulnerability affecting Dirsearch version 0.4.1, a directory and file path brute-forcer tool. The flaw arises when the --csv-report flag is used to generate reports, enabling attackers to inject malicious formulas via redirected endpoints. Specifically, attackers can craft server redirects containing comma-separated paths embedded with Excel formulas, which manipulate the output CSV file. The vulnerability is rated at CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-1236.

Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, requiring only low attack complexity over the network. By controlling a server that Dirsearch queries during a scan, an attacker redirects requests to paths with injected formulas (e.g., =cmd|' /C calc'!A0), which are written unescaped into the CSV report; because the writer does not quote fields, a comma in the redirect target also splits the path into additional cells. When a victim opens the report in spreadsheet software like Excel, the formulas are evaluated (subject to the application's external-content and DDE prompts), potentially leading to arbitrary code execution, data exfiltration, or other impacts aligned with the high confidentiality, integrity, and availability ratings.
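The following is an added illustration of this bug class and its fix, not Dirsearch's own code: a report writer with the vulnerable bare-comma join beside a hardened version that quotes every field and neutralizes formula triggers, plus a check that flags formula cells in an already-generated report. The sample rows, host names and function names are constructed for the example.

```python
import csv
import io

# Leading characters that Excel and LibreOffice treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Return the cell as text no spreadsheet will evaluate: a leading
    trigger character is prefixed with an apostrophe (OWASP CSV-injection guidance)."""
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def write_report(rows, hardened=True) -> str:
    """Serialise (url, status, redirect) rows to CSV text.

    hardened=False reproduces the vulnerable pattern: cells joined with a bare
    comma, so a redirect path containing ',' spills into extra cells and a
    leading '=' becomes a live formula. hardened=True quotes every field via
    the csv module and neutralizes formula triggers first."""
    if not hardened:
        return "".join(",".join(str(c) for c in row) + "\n" for row in rows)
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


def formula_cells(report: str):
    """Detection helper for existing reports: every cell a spreadsheet would
    interpret as a formula, in document order."""
    found = []
    for row in csv.reader(io.StringIO(report)):
        found.extend(c for c in row if c.startswith(FORMULA_TRIGGERS))
    return found


# Constructed sample: a scanned host answers with redirect targets that carry
# a comma and a formula, the shape of Location header the advisory describes.
SAMPLE_ROWS = [
    ("URL", "Status", "Redirect"),
    ("http://scanned.example/old", 301, "/login,=1+1"),
    ("http://scanned.example/x", 302, "=SUM(1,2)"),
]

if __name__ == "__main__":
    print(write_report(SAMPLE_ROWS, hardened=False))  # two formula cells
    print(write_report(SAMPLE_ROWS))                  # none
```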

Advisories and references provide additional details on exploitation and mitigation. The Vulncheck advisory at https://www.vulncheck.com/advisories/dirsearch-csv-injection outlines the issue, while an exploit proof-of-concept is available at https://www.exploit-db.com/exploits/49370. The Dirsearch GitHub repository at https://github.com/maurosoria/dirsearch serves as the primary source for checking updates or patches.

Vulnerability details

Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report.

CWE(s)

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.002 Malicious File (Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.003 Windows Command Shell (Execution): Adversaries may abuse the Windows command shell for execution.
Why these techniques?

CSV formula injection delivers a malicious file (T1204.002) whose embedded commands execute via the Windows command shell when the file is opened in Excel (T1059.003).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-36941 (shared CWE-1236)
CVE-2023-51336 (shared CWE-1236)
CVE-2023-54348 (shared CWE-1236)
CVE-2025-67851 (shared CWE-1236)
CVE-2023-51333 (shared CWE-1236)
CVE-2025-50572 (shared CWE-1236)
CVE-2026-23873 (shared CWE-1236)
CVE-2023-51311 (shared CWE-1236)
CVE-2025-56267 (shared CWE-1236)
CVE-2023-51319 (shared CWE-1236)

Affected Assets

Dirsearch 0.4.1

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly remediates the CSV injection flaw in Dirsearch by identifying, patching, and testing updates that prevent formula injection via redirected paths.

SI-15 Information Output Filtering (prevent)
Filters untrusted data from external server redirects before it is written to CSV reports, blocking malicious Excel formulas from being included.

prevent
Validates paths received from redirected endpoints and rejects those containing formula-injection payloads, such as a leading '=' or embedded commands.
